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Abstract. Ttie influence of imperfections on achievable secret-key generation rates of quantum key dis- 
tribution protocols is investigated. As examples of relevant imperfections, we consider tagging of Alice's 
qubits and dark counts at Bob's detectors, while we focus on a powerful eavesdropping strategy which takes 
full advantage of tagged signals. It is demonstrated that error correction and privacy amplification based 
on a combination of a two-way classical communication protocol and asymmetric Calderbank-Shor-Steane 
codes may significantly postpone the disastrous infiuence of dark counts. As a result, the distances are 
increeised considerably over which a secret key can be distributed in optical fibres reliably. Results are 
presented for the four-state, the six-state, and the decoy-state protocols. 

PACS. 03.67.Dd Quantum Cryptography - 03.67.Hk Quantum Communication 



1 Introduction 

The unconditional security of the four-state ^ and the 
six-state quantum-key-distribution (QKD) protocols 
has been addressed by many authors (see e.g., EEBHl 
E]). Although such security proofs allow for the most gen- 
eral eavesdropping attacks consistent with quantum the- 
ory (so-called coherent or joint attacks), they impose cer- 
tain constraints on possible imperfections in the source 
and the detectors used in the protocol by the two legiti- 
mate users (Alice and Bob). One way to deal with such 
imperfections is to absorb their effect into the attack em- 
ployed by a potential eavesdropper (Eve). In this spirit, 
most of the security proofs assume that any flaws due to 
imperfections in the source and/or the detectors do not 
depend on the bases used in the protocol i.e, they do not 
reveal any information about the basis-choice to Eve. Un- 
fortunately, such security proofs are not directly applica- 
ble to practical implementations of the protocols as typical 
imperfections can be basis-dependent T . 

In particular, due to the lack of efficient single-photon 
sources, most of the current realizations of QKD protocols 
use as information carriers weak coherent pulses (WCPs), 
with a sufficiently low probability of containing more than 
one photon [H]. Multiphoton pulses, however, threaten the 
security of 1;he QKD protocols as they can be exploited 
cleverly by Eve to gain perfect information about part of 
the exchanged random key without being detected "10~ir . 
To this end, she may launch the so-called photon-number- 
splitting (PNS) attack which, after the announcement of 
the bases used during preparation, enables her to obtain 
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full infornration about the bit encoded in each of the mul- 
tiphoton pulses 10 , 11 . In that respect, each multipho- 
ton signal can be viewed as a tagged signal (qubit) which 
will yield its complete information to Eve without intro- 
ducing detectable errors in the sifted key. Finally, even 
today's available single-photon detectors are not ideal [H]. 
At telecommunication wavelengths, for example, detection 
efficiencies are typically much smaller than unity while 
high dark-count rates severely limit the maximum dis- 
tances over which a secret random key can be distributed 
by means of optical fibers Pll()mim2j . 

In an effort to bring unconditional security proofs closer 
to practical QKD implementations, recent proofs relax the 
assumption about basis- independent eavesdropping [51ll3 | . 
In this context, Gottesman, Lo, Liitkenhaus, and Preskill 
(GLLP) derived a general expression for the asymptot- 
ically achievable secret-key generation rate for the four- 
state protocol, under the assumption of weakly basis-dependent 
eavesdropping attacks 'W . Among many types of imperfec- 
tions, the GLLP unconditional security proof takes into 
account possible tagging at Alice's source. From the tech- 
nical point of view, the GLLP investigation concentrates 
on CSS-based post- processing i.e., error correction and 
privacy amplification protocols involving one-way classical 
communication only and whose achievable secret-key rates 
result from random encoding and decoding by asymmet- 
ric Calderbank-Shor-Steane (CSS) quantum codes ^^. In 
fact the security is first established in the framework of 
an associated protocol based on a CSS-like one-way en- 
tanglement purification protocol (see definition 4 of Ref. 
^[), which is mathematically equivalent to CSS quantum 
codes ^j . Subsequently, the entanglement-based protocol 
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is reduced to the standard four-state prepare-and-measure 
scheme without compromising security. 

Motivated by these results, in this paper we investi- 
gate to which extent maximum achievable distances of 
secret-key distribution in the presence of imperfections, 
can be increased by additional use of an error-rejection 
procedure involving two-way classical communication. For 
this purpose we concentrate on the aforementioned types 
of experimentally relevant imperfections namely, tagging 
of qubits at Alice's source, dark counts, low efficiency of 
Bob's detectors and losses in the quantum channel con- 
necting them. As a particular example of an error-rejection 
procedure we adopt the so-called B-steps of the recently 
proposed two-way post-processing protocol of Gottesman 
and Lo |15| . In our subsequent investigation we discuss 
the four-state, the six-state, and the decoy-state 17,18 
QKD protocols. As a main result it will be demonstrated 
that with the help of a succession of B-steps followed by 
a CSS-bascd post-processing, the achievable distances of 
secret-key generation in optical fibers can be enhanced 
significantly. 

This paper is organized as follows: In Section |21 we 
briefly recapitulate basic facts about practical QKD im- 
plementations and highlight the main (disastrous) effect 
of dark counts on the rates for secret-key generation. In 
Section 13 we discuss the quantum state of Alice and Bob 
after a powerful eavesdropping attack which takes into 
account tagged signals, losses and dark counts at Bob's 
detection unit. In Section^ the influence of B-steps onto 
this quantum state and its resulting secret-key generation 
rate is investigated. For this latter purpose we focus on a 
post-processing protocol combining B-steps and asymmet- 
ric CSS codes. The degree to which such a post-processing 
can suppress the disastrous effect of dark counts on the 
rates for secret-key generation is investigated numerically. 



2 Practical QKD implementations 

In this section, for the sake of completeness, we briefly 
summarize basic facts about practical QKD, which are 
essential for the subsequent discussion. In particular, we 
establish a model for possible imperfections in practical 
implementations of the four- and the six-state QKD pro- 
tocols, and discuss asymptotic secret-key generation rates. 



2.1 Ideal QKD protocols 



BB84 and 2/3 for the six-state protocol) bits originated 
from measurements in bases different from the prepara- 
tion ones. Finally, Alice and Bob post-process this sifted 
key to distill a secret key. The post-processing stage typi- 
cally involves error-correction and privacy ampliflcation. 

Following |51ITH] . throughout this work we adopt the 
equivalent entanglement-based versions of the prepare-and- 
measure schemes ^19-20^ . based on a two-way CSS-like 
entanglement purification protocol (EPP). Let us start by 
recapitulating briefly the main steps involved in them. Al- 
ice prepares N qubit-pairs in the Bell state 1$+)®^ |2H . 
where |$+) = (|0)a«) |0)b + |1)a«) |1)b)/V2 is a simulta- 
neous eigenstate of the two Pauli operators X^ ® Xb and 
Za ® Zb, where Z = |0)(0| - |1)(1| and X = |0)(1| + 
|1)(0| . She keeps half of each pair (denoted by A) and 
sends the other half (denoted by B) to Bob in one of the, 
say /3, possible MUBs. In other words she applies a random 
rotation TZ^, where the random variable b S {0, ■ ■ ■ , f3} 
jl5| . From now on, we refer to the eigenstates of Z, i.e. 
{ |0), |1)}, as the Z-basis (computational basis). As is well 
known, the two MUBs {(3 — 2) involved in the four-state 
protocol Uj are related via the Hadamard transforma- 
tion n = E^ji-^y N)01 /\/2 where i,j G {0, 1} [1122, 
while the three MUBs (/3 = 3) of the six-state protocol 
[21 are related via successive actions of the unitary opera- 
torr = E, [|j)(0| - i(-l)^' |j)(l|] /V2 liaSa. Hence, in 
the former case TZb — Tie whereas in the latter TZ^ = '^b ■ 

After Bob has received all the transmitted qubits, Al- 
ice announces the sequence of rotations she performed and 
Bob undoes all of them. Subsequently Alice and Bob ran- 
domly permute their qubit-pairs so that their resulting A^- 
pair quantum state becomes permutation invariant. They 
select a random subset of their pairs and they measure 
each one of them along the Z-basis, to estimate the qubit 
error probability S of the residual qubit-pairs ^21 ■ K <^ ex- 
ceeds a certain threshold, secret-key distillation cannot be 
guaranteed and the protocol is aborted. Otherwise, Alice 
and Bob perform a two-way CSS-like EPP to extract pure 
(high-fidelity) entangled pairs, which they measure along 
the Z-basis to obtain the final secret key. Most impor- 
tantly, if the applied two-way CSS-like EPP (such as the 
one considered in the subsequent discussion) fulfills the 
requirements of Theorem 6 in Ref. |15| , the entanglement- 
based protocol can be reduced to a prepare-and-measure 
scheme without compromising the security. The results 
we are going to present therefore also apply to the corre- 
sponding prepare-and-measure schemes. 



Let us start with a summary of the ideal prepare-and- 
measure four-state and six-state QKD protocols, which 
typically involve three stages. In the distribution stage, Al- 
ice encodes her random bit-string in a random sequence 
of non-orthogonal signal states (e.g., polarized single pho- 
tons) . Such a preparation involves two mutually unbiased 
bases (MUBs) in the four-state protocol and three in the 
fully symmetric six-state protocol. A first raw key is estab- 
lished when Bob measures each received signal at random 
in one of the possible bases and registers his outcomes. In 
the sifting stage, Alice and Bob reject all (ideally half for 



2.2 A model for imperfections and losses 

Typical QKD implementations deviate from the ideal pro- 
tocols mainly in two respects: the signal sources are not 
ideal and the link (channel and detectors) between the two 
legitimate users is lossy and noisy. The model we adopt 
throughout this work for the description of such imperfec- 
tions has been discussed thoroughly in the literature O 
I1(JII11II12| . Here, for the sake of completeness, we briefly 
summarize its main ingredients. 
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We consider an imperfect source which with probabil- 
ity Ptag produces tagged qubits (signals), in the sense that 
Eve is capable of extracting from these qubits the infor- 
mation which random rotation (basis) has been used by 
Alice on them before their submission to Bob. Thus, Eve is 
able to measure each one of these qubits in such a way that 
she can unambiguously determine its quantum state with- 
out disturbing it i.e., without introducing any detectable 
errors. On the contrary, the remaining untagged (ideal) 
qubits which are produced by our source with probability 
1 ~ Ptag, do not reveal any information to Eve and any 
intervention of her (consistent with quantum mechanics) 
affecting them will eventually introduce errors. Hence, the 
overall bit-error rate estimated by Alice and Bob during 
the verification test [23^ is basically due to untagged qubits 
only i.e., 5 = {\ — Ptag)<5b,u, where <5b,u is the probability 
with which an untagged qubit contributes to the overall 
bit-error rate. Given the symmetry between all the bases 
used in the QKD protocols under consideration, we expect 
for the corresponding phase-error probability (5p.u — (5b, u 
i.e., 5p,u = 5/(1 -ptag). 

A practically relevant special case of tagging is the 
signal sources currently used in various realistic setups, 
which produce polarized phase-randomized WCPs PllOL 
I11II12J . In this case, the photon number distribution p^ (i = 
0, 1, ...) of each pulse is Poissonian, i.e. pi ~ exp (— /i) /i*/i! 
with ji denoting the mean photon-number in the pulse. 
Alice, therefore, encodes each of her random bits in a po- 
larized WCP which is sent to Bob. However, in addition 
to single-photon pulses such a source may produce mul- 
tiphoton pulses and in that respect it deviates from the 
ideal single-photon source. More precisely, single-photons 
are produced with probability pi while multiphoton pulses 
with probability ptag = ^ — Po — Pi- As will be explained 
in detail later on. Eve can obtain full information on all 
the bits encoded in multiphoton pulses by means of the 
so-called PNS attack. For a source producing WCPs there- 
fore, multiphoton and single-photon pulses can be viewed 
as tagged and untagged qubits, respectively. Typically in 
WCP-based QKD implementations /i is chosen sufficiently 
small, so that the WCP source imitates an ideal single- 
photon source as close as possible jH). The limitations of 
our model for the source will be discussed later on in Sec- 
tion 

In addition to imperfect signal sources, realistic setups 
involve imperfect quantum channels and detectors. As a 
result, the raw-key rate Poxp (i-e., the probability for a 
single detection event to occur at Bob's site), is in gen- 
eral distance-dependent and less than unity. More pre- 
cisely, Pcxp has contributions from both real signals ar- 
riving at Bob's detector and dark counts. In the adopted 
model, and for the aforementioned WCP source, actual 
signals trigger Bob's detector with probability P^^^^ = 
1 — exp (— /xr7c??det), where rjc and r^det denote the trans- 
mission efficiency of the relevant quantum channel and 
the detection efficiency of Bob's detector, respectively. For 
QKD implementations at telecommunication wavelengths, 
rydot ~ 0.1 — 0.2 and /x <C 1 while the quantum channels 



are optical fibers for which 



V^ 



= lQ-{al+L,)/W_ 



(1) 



Thereby, a denotes a polarization independent loss coef- 
ficient of the fiber, I is the length of the fiber, and Lc 
characterizes a distance-independent loss of the channel. 
Moreover, the total dark-count probability for Bob's de- 
tection unit involving two identical detectors is i^clcp'^ ~ 
10"'' - 10"^ Hence, we typically have Pl0mim2| 
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Clearly, for an ideal link involving a lossless quantum 
channel and ideal detectors we have Pexp = 1 — e"^. 

The overall bit-error rate in the sifted key has also two 
contributions and is modeled by |^10II11II12| 



6 = (5opt + (5, 



3dct 



-50 P^^' 



_1 pdark 
2 cxp 



(3) 



The first contribution is independent of the transmission 
distance and is a measure of the optical quality of the 
whole setup. In particular, the constant 5a accounts for 
possible alignment errors, polarization diffusion or fringe 
visibility. The second contribution (Jdet, originates from 
dark counts at Bob's detectors, with the factor 1/2 indi- 
cating that a dark count represents one of the two possible 
random measurement results of Bob. Hence, an error will 
be generated in half of the cases only. In the most pes- 
simistic scenario usually adopted in security proofs, all 
the error rate 5 is attributed to Eve. 

Finally, any imperfections, losses, and noise signifi- 
cantly affect the fraction of tagged qubits arriving at Bob's 
site. In general, the new (effective) tagging probability Z\, 
can be expressed in terms of the parameters character- 
izing the channel, the source and the detectors. An up- 
per bound on A, for example, may be obtained by the 
following consideration, in the case of a photon source 
emitting phase-averaged WCPs 10,11 . An eavesdropper. 
Eve, with unlimited power may not only obtain perfect 
information about all the classical bits originating from 
multiphoton pulses but she may also increase the fraction 
of these multiphoton pulses as much as possible without 
affecting Bob's expected click-rate probability. For this 
purpose she can replace the lossy quantum channel by 
a perfect one (i.e., rjc = 1) so that all multiphoton pulses 
are transmitted perfectly. In order to keep Poxp constant 
she has to block an appropriate number of single-photon 
pulses. Thus, the maximum probability of tagged pulses 
arriving at Bob's detector, which Eve can have perfect 
knowledge about, is given by [ITiHTT] 



A'. 



1- (H-//)exp(-^) 



(4) 



cxp 



while the corresponding probability for single-photon pulses 
is given by (1 — Z\), so that they sum up to unity. 
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2.3 Asymptotic secret-key generation rates 

As shown by GLLP in Ref. |Q, losses and weak basis- 
dependent imperfections such as tagging do not render 
any of the QKD protocols under consideration insecure, 
but they affect the rates for secret-key generation. More 
precisely, for one-way CSS-based post-processing it has 
been shown that a secret key can be generated by Alice 
and Bob with the asymptotic rate 



Rcss 



cxp 



[l-A-H{S)^il-A)H(dp^^)], (5) 



where H(x) := — a;log2 x— (1 — x) log2(l — x) is the binary 
Shannon entropy. 

Let us briefly analyze the quantities entering this ex- 
pression. First of all, in the most pessimistic scenario, all 
the errors detected by Alice and Bob during the verifi- 
cation test are due to Eve's intervention. Furthermore, 
assuming that Eve has maximized the contribution of the 
tagged qubits in the sifted key by replacing the lossy chan- 
nel with a perfect one, the estimated bit-error rate ap- 
pearing in (jSJ is now given hy S — {1 — A)Sh,u, while the 
phase-error probability for an untagged qubit reads 



6p,u^d/il-A), 



(6) 



accordingly. The raw- key rate is given by lI2Jl, while the 
factor 1//3 accounts for the fraction of the raw bits pass- 
ing the sifting procedure in a typical prepare-and-measure 
scheme. Clearly, for the four-state (two-basis) QKD pro- 
tocol we have (3 = 2, whereas for the six-state (three- 
basis) protocol (3 = 3. Moreover, it has to be noted that 
for post-processing procedures taking into account possi- 
ble correlations between bit-flip and phase error, the rate 
l|^ can be improved "K . However, throughout this work 
we adopt for both protocols the worst-case scenario which 
corresponds to having no such correlations thus implying 
zero mutual information between bit-flip and phase errors. 
Typical behavior of the secret-key generation rate as 
a function of the distance (i.e., the length of the optical 
fiber I) is depicted in Figure ^ Using equations H1I4|) and 
(O, we plot the rate i?css (as determined by equation [Sj 
for the four- and the six-state QKD protocols. A sudden 
drop of the key generation rate at about 25 km is clearly 
apparent in both protocols. A comparison with the corre- 
sponding secret-key generation rate of the four-state QKD 
protocol in the absence of dark counts (dotted curve) ex- 
hibits that this drop originates from dark counts. Indeed, 
in the case of a lossy quantum channel, the contribution 
to S due to signals decreases with increasing I, so that 
eventually almost all the contributions to the error rate 
S originate from dark counts. At the critical distance of 
25 km the contribution of dark counts becomes dominant 
and almost all the key is lost by error correction and pri- 
vacy amplification pill(J| . The critical distance turns out 
to be the same for the two protocols as a result of equation 
|(SJ) which was used for both of them. However, as discussed 
in [S] , the secret-key rate for the six-state protocol can be 
improved by means of a post-processing procedure which 




Distance [km] 

Fig. 1. Achievable secret-key rates as given by equation ^, 
for non-ideal implementations of the four-state (full curve) and 
the six-state (dot-dashed curve) QKD protocols: Error cor- 
rection and privacy amplification are performed by means of 
asymmetric CSS codes which involve one-way classical commu- 
nication only. The vertical lines indicate the maximum allowed 
distances for secret-key generation as determined by equation 
||7|l for the four-state (solid line at ~ 42 km ) and the six- 
state protocol (dot-dashed line at ~ 50 km). Also shown is the 
secret- key rate of the four-state protocol in the absence of dark 
counts (dotted curve). All relevant parameters are chosen as 
in the experiment of Ref. [2^ i.e., a = 0.2dB/km, Lc = IdB, 
<5o = 1%, Pc^p^ = 2 X 10"", ?7dot = 0.18. At each distance the 
mean number of photons /i is optimized such that the corre- 
sponding rate is maximal. 



takes into account correlations between bit-flip and phase 
errors. 

An upper bound on achievable distances can be ob- 
tained from the maximally tolerable error rates for single- 
photon pulses 9,10 . More precisely, given that Eve has 
full information on the error-free part of the key stem- 
ming from multiphoton pulses, Alice and Bob can extract 
a secret key only if they can prove the presence of quan- 
tum correlations (provable entanglement) in the remain- 
ing part of the sifted key originating entirely from single- 
photon pulses J26II27J . However, this is possible only if the 
corresponding (rescaled) error rate (5/(1 — A) does not ex- 
ceed 1/4 for the four-state and 1/3 for the six-state QKD 
protocol i.e.. 



(l-A) 



< 



(til 
2(3 ' 



for /3e{2,3}. 



(7) 



This is a generalization of the necessary conditions for 
secret-key generation in the context of the four- and the 
six-state protocols respectively, in the absence of tagging 
|22ll2HII27j . Indeed, an intercept-resend eavesdropping at- 
tack can always break entanglement between Alice and 
Bob giving rise to an error rate 6 > {1 ~ A){(3 — l)/2(3. 

The necessary condition ((JJ) limits the distances up 
to which a secret key can be distilled since both A and 
5 depend on the length of the optical fiber connecting 
Alice and Bob. This bound is indicated in Figure H by 
the solid vertical line for the four-state and by the dot- 
dashed vertical line for the six-state protocol. In Section 
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01 we will demonstrate how the gap between these borders 
and the drop of the secret-key generation rates due to dark 
counts can be decreased considerably by applying a two- 
way error-rejection procedure before switching to one-way 
CSS-based post-processing. Before that, we have to derive 
the quantum state shared between Alice and Bob at the 
end of the distribution stage. 



3 Formulation of QKD with tagged qubits 

In order to derive the quantum state of Alice and Bob 
immediately before the post-processing stage under a re- 
alistic scenario, we have to take into account the influence 
of a tagging source and possible imperfections in the link 
(quantum channel and detectors). Most importantly, we 
also have to consider in detail Eve's strategy which can, 
in principle, take full advantage of all imperfections and 
losses. Following |51[T3] . we adopt the entanglement-based 
version of the four- and the six-state QKD protocols de- 
scribed in Section im 



3.1 An optimal eavesdropping strategy 

Consider the tagging scenario described at the end of Sec- 
tion |^21 in which tagged qubits arrive at Bob's site with 
probability A. Let also N be the total number of qubit- 
pairs shared between Alice and Bob at the end of the 
distribution stage. For sufficiently large values of iV, we 
expect that iVu ~ (1 — A)N pairs involve untagged qubits 
and Nt ~ AN pairs involve tagged qubits (to be referred 
to hereafter as the tagged qubit-pairs). In general, the 

form of the reduced state of all N pairs, pl^t , depends on 
the eavesdropping attack employeed by Eve. 

As we discussed earlier, a tagged qubit reveals to Eve 
its basis of preparation i.e., which random rotation has Al- 
ice applied on it before its submission to Bob. Thus, Eve is 
able to measure each tagged qubit in such a way that she 
can unambiguously determine its quantum state without 
disturbing it i.e., without introducing any errors. On the 
contrary, the remaining untagged qubits are ideal for Alice 
and Bob, in the sense that they do not reveal any informa- 
tion to Eve. In particular, given that each untagged qubit 
is randomly prepared in non-orthogonal states, informa- 
tion gain for Eve is only possible at the expense of disturb- 
ing its state, thus introducing errors in the sifted key 20 . 
It has to be noted here that in the model under consid- 
eration, the source simply tags any AN of the signals in 
an uncorrelated and independent way. In other words, we 
do not allow for coherent superpositions of tagging pro- 
cedures or other highly correlated basis-dependent imper- 
fections IS] . Moreover, we assume that apart from the tag- 
ging scenario we have just described, the source behaves 
in a perfect way while the tagged signals do not convey 
any information about the untagged ones. In this frame- 
work, we restrict ourselves to a particular class of powerful 
eavesdropping strategies where Eve treats tagged and un- 
tagged qubits separately. Indeed, tagging allows Eve to 



attack a fraction of the qubits without introducing errors. 
Any other eavesdropping strategy which is consistent with 
quantum mechanics and does not take into account the 
tagging may only result in higher error rates in the sifted 
key. Finally, given that Eve can have full information on 
all the bits encoded in tagged qubits, she may launch the 
most powerful attack i.e., a coherent attack, on the re- 
maining untagged qubits to extract as much information 
as possible about the final key. 

Therefore, as long as Eve attacks the sets of tagged 
and untagged qubits separately, these sets are not entan- 
gled between each other. From now on, the reduced state 
of all tagged qubit-pairs is denoted by p^ whereas the 
corresponding state of all untagged qubit-pairs is denoted 

by pu " . Our task is to estimate the precise form of these 
states and to this end we have to consider a particular 
tagging scenario. 



3.1.1 Attack on tagged qubits 

We will focus on the practically relevant special case of 
tagging discussed in Section 12.21 that is, a source which 
produces phase-randomized WCPs. For each multiphoton 
pulse sent by Alice to Bob, first of all Eve can measure the 
photon number. She can do this by means of a quantum 
non-demolition measurement without introducing any dis- 
turbance. In a second step. Eve can extract from each of 
these multiphoton pulses one photon, as described in the 
appendix of Ref . |10| , which is stored in a quantum mem- 
ory while the remaining signal is sent to Bob. After the 
announcement of the bases used during preparation. Eve 
measures each of her photons in the correct basis and ob- 
tains full information about the corresponding encoded 
bit. 

Clearly, by such a PNS attack Eve can eventually de- 
termine all the key bits which originate from multiphoton 
pulses without introducing any bit-flip errors. Moreover, 
she may adjust her attack so that her intervention re- 
mains undetected, even if Alice and Bob proceed to moni- 
tor the complete photon- number distribution |21]. Hence, 
the PNS attack turns out to be Eve's optimal attack on 
the multiphoton pulses jTUj. 

Now we turn to estimate the reduced state of Alice 
and Bob for all tagged qubit-pairs, p\ . Since Eve at- 
tacks each tagged pair individually, we have p[ ' — a"^^^ . 
Therefore, it is sufficient to consider one of these qubit 
pairs. After Bob has undone the rotation applied by Al- 
ice on his qubit, the purified quantum state of a tagged 
qubit-pair for which Bob's half has suffered a PNS attack 
is of the form 

|x)abe = -= (|0)a ® |0)b ® |6)e + |1)a ® |1)b ® |i)E) 
V2 

^_L(|$+)®|0)E + |<i>-)®|l)E). (8) 

This state can be obtained, for example, in the context of 
the Jaynes-Cummings Hamiltonian discussed in the ap- 
pendix of Ref. Pni- Thereby, Eve's pure ancilla states 
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|0>E - (|0>E + |i>E)/V2 and |1)e = (|0)e - |i)E) /V2 
are orthogonal. The BeU state |$~) = (|0)a<X'|0)b- 
|1)a ® |1)b)/'\/2 characterizes the phase errors introduced 
by Eve's ideal attack. The equal amplitudes of magnitude 
l/\/2 reflect the fact that Eve does not perturb Alice's 
and Bob's measurement statistics by her attack. Corre- 
spondingly, the reduced quantum state of Alice and Bob 
resulting from such an ideal attack is a random mixture 
of the ideal Bell state | <&"'') and the corresponding phase- 
flipped Bell state |$~), i.e., 



a^i(|$+)($+| + |ci>-)(ci>-|). 



(9) 



The separability of the state ^ reflects the fact that Eve 
has a perfect copy of Bob's qubit and thus secret-key dis- 
tillation is impossible | 22u26u27| . 

3.1.2 Attack on untagged qubits 

Being able to obtain full information on the fraction of 
the key originating from tagged qubits. Eve may attack 
the remaining A'^^i untagged qubits coherently in order to 
obtain additional information on the final key. In general, 
at the end of such a coherent attack the reduced state of 
the untagged pairs pu " has a rather complicated form. 
In particular each pair can be entangled with Eve's ancilla 
as well as with other untagged qubit-pairs. 

However, the key point is that Alice and Bob randomly 
permute all their (tagged and untagged) pairs immediately 
after Bob has announced the reception of all his qubits. 
As a result, the state pu " becomes permutation invari- 
ant. Hence, according to Lemmas 2 and 3 (including the 
related proofs) of Ref. 2SI> it suffices for our purposes to 
consider uncorrelated Pauli attacks only, where Eve ap- 
plies a random Pauli operator independently on each sub- 
mitted qubit. In particular, she applies X with probability 
gx, Z with probability q^, y = \XZ with probability ^y, 
and the identity X with probability q\ = l—q^—qy^qz- The 
resulting state of an uncorrelated Pauli attack is therefore 

of the form pu = r®''^", where the single-pair state r is 
diagonal in the Bell-basis 1^ i.e.. 









(10) 



Note now that due to Alice's random rotation the 
quantum state t is also rotation invariant i.e., it is sym- 
metrized with respect to the corresponding group of uni- 
tary transformations G = {TZ^ iS) TZ^ \ b = 0, ...,/3}. 
This symmetry, implies additional constraints on the (er- 
ror) probabilities (9x,9y,9z) of the state H10() . In particu- 
lar, for the four-state protocol we have ^x = Qz whereas 
for the more symmetric six-state protocol Qx — Qy — <lz- 
Thereby, these symmetry constraints are characteristic for 
the two(three) MUBs used in the four(six)-state QKD 
protocol. It is worth noting, however, that this rotation- 
invariance does not apply to the case of PNS attacks, as 
the tagged qubits inform Eve about their bases of prepara- 
tion. Eve can always therefore follow the rotations applied 
by Alice and remain undetected. 



3.2 Alice's and Bob's point of view 

Let us now assume that Alice and Bob do not have Eve's 
technology and thus are not able to distinguish between 
tagged and untagged qubit-pairs. In other words, from 
their point of view all the pairs are equivalent. They only 
know that their imperfect source produces ideal qubits 
with some probability, and tags the qubits otherwise. For- 
mally speaking, Alice and Bob share N qubit-pairs in the 
quantum state 



Ftot 



n 



^®N^ 



n\ 



(11) 



where the summation runs over all possible permutations 
and expresses Alice's and Bob's ignorance about the pre- 
cise location of the tagged pairs within the block of N 
pairs. In the limit of large N we have N-^ « (1 — A)N and 
A't ~ AN , thus obtaining from equation (|ll|l 



AN) 
rtot 



P 



®N 



where 



p = Aa+{1- A)t. 



(12) 



(13) 



An easy way to see this, is by using the binomial theorem 
since the density operators a and r commute. 
Hence, in view of the state (I12llr 



I , the overall bit-error 
rate estimated by Alice and Bob during the verification 
test by random pair-sampling and measurements along 
the Z-basis j22 is given by 



<5 = (l-/l)(5b,u = (l-/i)(9x + gy), 



(14) 



where (5b, u is the error probability for a single untagged 
pair as determined by its state (|ll)|) . In view of the sym- 
metry between all the bases used in the protocols we also 
have for the phase-error probability of the untagged pairs 

'5p,u = (^b^u- 

Having derived the state shared between Alice and Bob 
at the beginning of the post-processing stage, we now turn 
to discuss asymptotic secret-key generation rates in the 
context of a two-way CSS-like EPP. 



4 Increasing secure distances using two-way 
post-processing 

In this section, we demonstrate how one can suppress the 
disastrous effect of dark counts (exhibited as a sudden 
drop of -Rcss in Figure^, thus increasing the distance 
over which a secret key can be distributed. Our approach 
relies on a two-way error-rejection procedure followed by 
a one-way CSS-hke EPP. 



4.1 Error-rejection with two-way classical 
communication 

The error-rejection procedure under consideration is the 
so-called B-step entering a two-way post-processing of the 
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Gottesman-Lo-type |15II29| . It is basically a purification 
process with two-way classical communication and its prop- 
erties have been thoroughly discussed in the literature 
J15II2HII8()II81II82| . In all these investigations, the authors 
mainly focus on the influence of the B-steps on the error 
rates as all the involved qubit-pairs are identical. In our 
case, however, the situation is substantially different as 
the qubit-pairs involved in a B-step may be tagged or un- 
tagged. Given that Eve has full information on Bob's qubit 
in the former case, in addition to error rates we have to 
keep track of any changes in the rate of tagged qubit-pairs 
during B-steps. 

Let us start by briefly recapitulating the stages of a 
B-step. Alice and Bob randomly form tetrads of qubits 
by pairing up their qubit-pairs. Then, within each tetrad 
they apply a bilateral exclusive-OR operation (BXOR) 
i.e., they apply the local unitary operation XORa-,b '■ 
\x)a.® \y)h i-^ \x)a.® \x®y)h, on their halves. Thereby, ® 
denotes addition modulo 2 while a and b denote the con- 
trol and target qubit, respectively. Accordingly, for the 
two qubit-pairs constituting the random tetrad we have 
the following map in the Bell basis 



BXORa 



i*h^) ® l*i^' 



x,yl 



I* 



(a) 



l*lel.J(15) 



where i,j,x,y € {0,1} and the Bell states are denoted 
by l^o.o) =_ |*+), |%i) = I*'), 1^1,0) = |^+), and 
l^i^i) = |\[' ). Subsequently, Ahce and Bob measure their 
target qubits (b) in the Z-basis and compare their out- 
comes. The target pair is always discarded while the con- 
trol qubit-pair is kept if and only if their outcomes agree 
i.e., if and only if i = a;. In general, this procedure is re- 
peated many times (many rounds of B-step). 

Consider now that Alice and Bob apply the B-step pro- 
cedure we have just described on their pairs before switch- 
ing to a CSS-like EPP. Recall also that the quantum state 
of all N qubit-pairs shared between Alice and Bob at this 
stage of the QKD protocol has the general tensor-product 
form given in equations p2ll^^|l . Depending on whether 
the qubit-pairs forming a random tetrad are untagged or 
tagged or only one of them is tagged we may distinguish 
four different cases. 

1. Untagged target and control pairs. According to equa- 
tions (|12I13|) . such a pairing occurs with probability 
(1 — Z\)^, while each of the qubit-pairs is in the Bell- 
diagonal quantum state (|10|) . Hence, provided that Al- 
ice's and Bob's measurements agree, the control pair is 
kept and is mapped again onto a Bell-diagonal quan- 
tum state of the same form, but with renormalized 
parameters |15| 



9i 



(9i + 9z)^ + [qi -qzf 



Qx = 



2Qu.s 


1 


(91 + 9z)^ - (qi - 


-q.? 


2Qu^s 


1 


(9X + qy)^ + (Qx - 


-qyf 


2Qu.s 




(& + qyf - {qx 


-qy? 



where Qu^s = [qi + q^Y + (^x + ^y)^ is the probability 
with which the control qubit-pair is kept. Moreover, 
conservation of probability requires the relation qi -)- 

qz+ qyi + qy = q[ + ql^+ q'^ + q'y ^ 1. 

2. Tagged target and control pairs. In view of equations 
(|12I13|) such a pairing takes place with probability A^ . 
The two pairs are in the same Bell-diagonal state given 
by equation ^ , and thus the map Hlt)|) applies also in 
this case. Setting gx = 9y = and qi = q^ — 1/2, we 
have that the control pair always survives and is again 
tagged i.e., its state is given by Q- 

3. Tagged target pair and untagged control pair. Such a 
pairing occurs with probability Z\(l — A). Using the 
map H15() and the form of the states r and a given by 
equations H10|l and JHJ respectively, one immediately 
obtains that for the case under consideration the con- 
trol pair survives with probability (5t,s — {qi + gz) and 
is left in a quantum state of the form . Knowing that 
one of the purifications of such a state is equation ^ , 
and giving all the purification to Eve |20j , we may con- 
clude that the state of the surviving control pair refers 
to the tagged state of equation ||SJ|. In other words, the 
initially untagged control pair becomes tagged when 
paired with a tagged target pair. This is equivalent 
to the XOR operation of an unknown classical bit S 
with a totally known classical bit M . Since the target 
bit T = S" © M is announced publically, S becomes 
perfectly known to Eve. 

4. Untagged target pair and tagged control pair. This is 
equivalent to the previous case. 

In summary, only cases in which both pairs involved in 
a random tetrad are untagged can lead to an untagged 
surviving qubit-pair which may later on result to a secret 
bit for Alice and Bob. In all other cases. Eve has a perfect 
copy of Bob's surviving tagged qubit. 

A qubit-pair initially prepared in the mixed quantum 
state (I13|l with a and t given by equations and (|10|l 
respectively, survives the first B-step with probability 

P,'= {l-AfQ^,, + 2A{l-A)Qt,, + A^. (17) 

Moreover, its new quantum state is given by 

p' = A'a+(l-A')T', (18) 

with the renormalized tagging probability 



[A^ + 2A{l-A){qi + q,)] 
Pi 
and with the untagged renormalized quantum state 

r' = g;|<i>+>(a>+|+g^|$-)(ci>-| 



(19) 



(20) 



'^^/u.s 



(16) 



where the new probabilities {qi,q'z,qy,q'z) are determined 
by equations H16|l . Correspondingly, the bit-error proba- 
bility of this new quantum state is given by 

6' = il-A')Si,, = {l-A'){q'^ + q'). (21) 
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As a result of the B-step, however, the probabihties of 
bit and phase errors for an untagged qubit are not equal 
anymore. In particular, we have 



'^U^l'/z+O- 



(22) 



Consider now that immediately after one such B-step 
Alice and Bob switch to a one-way CSS-like EPP to distill 
a secret key. The overall asymptotically achievable secret- 
key generation rate is given by the corresponding modifi- 
cation of equation Q i.e., 



-Rbcss — 



P P' 



2/3 



{l-A'-H{5')-[l-^)H{5[,^^)) 



(23) 



where Z\', 5' and (5p ^ are given by equations (|17I22|) . The 
additional factor of 1/2 accounts for the target qubit- 
pairs which are always thrown away during the B-step. 
With the help of the recursion relations H16|l and l|19|l 
asymptotically achievable secret-key generation rates can 
also be determined for cases in which B-steps are applied 
iteratively before the final use of the one-way CSS-like 
EPP. In that case, however, the factor of 1/2 should be 
replaced by 1/2", for n B-steps. The rate -Rbcss is there- 
fore a generalization of the GLLP rate i?css to a post- 
processing where the one-way CSS-like EPP is initialized 
by a number of B-steps. Indeed, the rate H23(l directly re- 
duces to the rate (jSJ in the absence of B-steps i.e., by 
setting iq[,q'^,q'y,q'J = (qi, fe, 9y, 9z), Ps = 1, Z\' = A, 
and dropping the factor 1/2. 
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Fig. 2. Four-state protocol. Secret-key generation rates result- 
ing from multiple applications of B-steps followed by one-way 
CSS-based post-processing: The solid vertical line indicates the 
maximum allowed distances according to inequality Q. The 
dotted line is the asymptotically achievable distance according 
to inequality 1311 . The parameters are the same as in Figure 

m 



for the six-state protocol, and 
gx = qz 



(27) 



for the four-state protocol, respectively. 

In the case of the six-state protocol the constraints 
- I26II fully determine the initial values of the probabilities 
(fflj qx,qy,qz)- More precisely, we have 



4.2 Numerical simulations and discussion 

In our simulations, we adopt the most pessimistic ap- 
proach i.e, we consider an eavesdropper with unlimited 
technological power [T^. In particular, we attribute all 
the estimated bit-error rate 5 to Eve, assuming that she 
possesses the corresponding information on the key. We 
thus give Eve all the power to replace the lossy channel 
by a perfect one (as described in Sect. l2.2|l . and to adjust 
the two contributions in S (that is, i5opt and Sdct) at her 
own benefit (see also related discussion in Ref. 12). For- 
mally speaking, combining equations lj2Il and H14(l . at the 
beginning of the first B-step we have 



S = {I - A)iq^ + qy) = 



So P^lr' 



_1 pdark 
2 cxp 



(24) 



exp 



where Poxp, -flip"'*' and A are defined in Sect ion IT^ How- 



ever, as we discussed in Section rTTl the probabilities (gi, gx, 
entering the map (|16|l are not independent. The normal- 
ization condition for the state H10() implies that 



qy^qz = 



psignal I _1 pdark 
cxp ~^ 2 cxp 

2(1 - A)P, 



gi = l 



3 (<5o Pi 



ienal 



cxp 



cxp 
2 ^cxp / 



2(1 - A)P, 



(28) 



cxp 



On the contrary, such a unique choice is not possible for 
the four-state protocol and we have one open parameter 
left that is, < gy < 1. It is known, however, that for 
the map 1)16(1 . the choice gy = gives rise to the largest 
resulting value of the phase-error probability and to the 
smallest resulting secret-key rate ^Hl- Therefore, in the 
case of the four-state QKD protocol we can restrict our 
subsequent discussion to the initial condition 



9y 



0, 



dark 



gx = (jz = 



: psignal I Ip- 
^0 ^ cxp ' 2 cxp 



gy^gzJ 



91 = 1- 



(1 - A)P, 
2 ((5o -Pc/'"'''' 



cxp 



cxp 

1_ pdark \ 
2 -'cxp ) 



(1 - A)P,, 



(29) 



qi = l- q^- qy - qz 



(25) 



while due to symmetry between all the bases used in the 
QKD protocols under consideration we have one addi- 
tional constraint. That is, 



gx = qz 



1y 



(26) 



Clearly, in both cases all the probabilities are distance- 
dependent. Indeed, the larger the distance between Alice 
and Bob becomes, the more power Eve has as she may 
take full advantage of all losses, noise, and imperfections. 
We turn now to present and discuss numerical results 
regarding the effect of apphed B-steps on the the secret- 
key rates, for various QKD qubit-based protocols. For 
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Fig. 4. Maximum achievable distance for different numbers 
of B-steps for the four-state (lower curve) and the six-state 
protocol (upper curve). 



short distances (i.e., length of the fiber I) where no B- 
steps are necessary, the secret-key rate is basically deter- 
mined by equations lO, ® and Q, as in Section lOI 
However, for secret-key distribution over larger distances 
application of B-steps prior to post-processing by one-way 
CSS-like EPP is a necessity and the corresponding secret- 
key rate is given by (|23|l combined with equations H17I22|I 
and the initial condition for B-steps H28|l or ()29|l . In any 
case, for a given distance we optimize the mean number of 
photons to obtain the maximum possible secret-key rate. 
The influence of different numbers of B-steps on i?BCSS 
is depicted in Figures [3 and El for the four- and the six- 
state protocol, respectively. Whereas for the parameters 
chosen in the absence of any B-steps the maximum possi- 
ble distance over which a secret key can be distilled with 
a significant rate is of the order of 25 km for both proto- 
cols, this distance increases significantly if Alice and Bob 
perform a few B-steps before switching to the one-way 
CSS-like EPP. More precisely, one application of a B-step 
already increases this maximum possible distance to ap- 
proximately 30 km in the four-state and to 34 km in the 
six-state protocol. One may observe a sudden increase in 
the secret-key generation rate on applying a B-step. This 



is because a B-step decreases the bit-error rate signifi- 
cantly and thus the effect of dark counts becomes less sig- 
nificant. However, for larger distances, dark counts again 
become dominant, resulting in a new dip in the key gener- 
ation rate unless a second B-step is applied. For increasing 
numbers of B-steps this effect becomes less dominating as 
the phase-error probability of the untagged pairs increases 
after each B-step ^15,29^ and therefore dark counts be- 
come effective in the phase-error part. It can also be no- 
ticed that in the six-state protocol each B-step results in 
a larger increase of the maximal achievable distance with 
less reduction of the secret-key generation rate compared 
to the four-state protocol. Basically, this is due to the fact 
that the six-state protocol can sustain higher error rates. 
Finally, as depicted in Fig. 0] multiple applications of B- 
steps quickly increase the maximum possible distances al- 
most up to approximately 37 km for the four-state and to 
44 km for the six-state protocol. 

Let us now explore to which extent multiple applica- 
tions of B-steps are capable of approaching the limiting 
distances resulting from equation Q for the two QKD 
protocols under consideration. These latter distances are 
indicated by full vertical lines in Figures |21 and O Fol- 
lowing the arguments of Ref jSi which form the basis for 
the secret-key generation rates of equations ^ and if^ , 
for our purpose it is sufficient to explore the possibility 
of purifying only the untagged qubit-pairs by B-steps. As 
demonstrated in Ref. |32| . the inequality 



'^'-\ 



1 



> 



1 

8' 



(30) 



is a necessary condition for the purification of a Bell- 
diagonal state of the form (|10() by a sequence of B-steps 
followed by a CSS-like EPP. Therefore, using equations 
(|24I27(I inequality 1)30(1 yields for the two protocols 



A< 



1 — 5(5 four-state protocol 

5 (2 — 55 — VbS) six-state protocol. 



(31) 



The other solutions of the inequality l|^ do not satisfy 
the necessary condition for secret-key generation given by 
0. 

In Figure |S1 we plot the possible values of the effective 
tagging probability A and the estimated bit-error rate 5 
consistent with the necessary conditions Q and l|^ . for 
the four- and the six-state protocols. These are basically 
parameters which can be estimated by Alice and Bob. Ac- 
cording to the necessary condition JTJ, secret-key distil- 
lation is, in principle, possible everywhere except in the 
black regime. One may notice, however, the small grey re- 
gion which (although allowed by inequality0l is not acces- 
sible to a post-processing involving B-steps and a CSS-like 
EPP. The upper bounds on distances resulting from the 
inequalities 1(31(1 are indicated by the vertical dotted lines 
in Figures [3 and O 

From Figures 12 121 and 01 it is apparent that these lat- 
ter threshold values for the maximum possible distances 
are approached already after a few iterations of B-steps 
followed by a CSS-like EPP. Thus, such a combination 
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and CSS-like EPP. 



yields a useful method for counteracting the influence of 
dark counts on the secret-key rate. However, from Fig- 
ures |21 and O it is also apparent that at the same time the 
secret-key rate decreases considerably with the application 
of more than two B-steps. 

As decoy-state protocols were developed in order to 
suppress imperfections arising from multiphoton pulses it 
is of interest to explore the influence of B-steps on the cor- 
responding achievable secret-key generation rates. For this 
purpose let us consider a decoy-state protocol involving 
two decoy WCPs with mean photon numbers k < u ful- 
filling the additional requirement k exp(— k) < v exp(— j/), 
and a signal pulse with mean photon number ^i > k + v. 
Therefore, the decoy pulses are detected with probabilities 
Pcxp and Pexp obeying the relations |17II18| 

^ixi! - ^clc^'^e-" + siKe-'^ -K s„,(l - e-'^ - ne"'), 



(32) 

Thereby, Sm is the conditional probability that the detec- 
tor clicks provided a multiphoton pulse with mean photon 
number k, hits the detector, whereas si is the correspond- 
ing probability for single- photon pulses. Using (|32|l we ob- 
tain 



Sl 



> 



u^e-P^iil 



2 up{i^) 
ri> ^ ± CXD 



(.2 



2"^ pdark 



n^)P; 



cxp 



ny{y 



si(33) 



The inequality in the second line of H32(l is valid provided 
the inequalities n < v and n exp(— k) < u exp(— i/) are ful- 
filled. Correspondingly, the probability Zi^ of multiphoton 
signal pulses can be upper-bounded as follows 



A„ < 1 



sifie 



Pc 



(m) 



Z\,. 



(34) 



To investigate the influence of B-steps on the achiev- 
able secret-key rates in the context of QKD protocols with 
decoy pulses, we can adapt our previous arguments eas- 
ily. In particular, a lower bound on the resulting secret- 
key generation rate is obtained from equations l|16(l . p7() . 
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Fig. 7. Six-state protocol with decoy pulses: The parameters 
are the same as in Figure El 



(fTn)l , (|^ , and f^ . Thereby, the recursive relations have 
to be solved by setting A = A^ in the initial conditions 
(I28|l and H29I) for the six- and the four-state protocol, re- 
spectively. These initial conditions take into account that 
the phase-error probability can be bounded from above by 
(5/(1 — A^). The resulting lower bound on the secret-key 
generation rate and its dependence on the length of the 
optical fibre used for the transmission of photons are de- 
picted in Figures El and d for the four- and the six-state 
protocol, respectively. Following Ref. ^\ , we have chosen 
/I, K and V equal to 0.55, 0.10 and 0.27, respectively. Typi- 
cally, multiple application of B-steps increase the distance 
over which a secret key can be exchanged significantly. The 
maximum distances and their dependence on the number 
of applied B-steps is shown in Figure (HI for both protocols 
with decoy pulses. The asymptotically achievable maxi- 
mum distances of the order of 80 km are reached already 
after a few B-steps. Moreover, it is worth noting that the 
net increase in distance of about 15 km (after 2 or 3 B- 
steps) is the same as that for the conventional four- and 
six-state protocols. 

In closing, we would like to stress once more that, al- 
though our results have been formulated in the frame- 
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(upper curve) protocols with decoy pulses. 



was demonstrated that such a post-processing may con- 
siderably increase the maximum distances over which a 
secure key can be distributed in optical-fiber links. 



Hence, incorporation of B-steps in the post-processing 
stage of practical implementations of the protocols is proven 
to be particularly useful. The usefulness of B-steps is also 
one of the main results of a recent thorough investigation 
of decoy-state protocols presented in Ref . |22I . On the con- 
trary, P-steps of the Gottesman-Lo type do not seem to be 
as useful as B-steps. Indeed, all our numerical simulations 
demonstrate that a few applications of B-steps are suffi- 
cient to bring the maximal secure distances very close to 
the upper bound. Recently, this inessentiality of P-steps 
has been pointed out by other authors as well |32II33II34| . 



work of the two-way EPP-based versions of the four- and 
the six-state QKD protocols, they also apply to the cor- 
responding prepare-and-measure schemes. According to 
Theorems 5 and 6 in Ref. J2| such a reduction is pos- 
sible without compromising security, due to basic proper- 
ties of the B-step and the one-way CSS-like EPP. Let us 
briefly highlight the main steps in this reduction. In the 
terminology of ^15^ . a B-step involves only measurements 
of the form Za ® Z-q for the purpose of bit-flip error de- 
tection and subsequent rejection. Hence, no post-selection 
based on phase-error syndromes takes place during the 
two-way part of the post-processing. In the one-way CSS- 
like part each operator being measured is either of X- or 
-E-type (definitions 1 and 4 of Ref. j^) while, at any rate, 
earlier measurements do not affect the sequence of sub- 
sequent measurements. Moreover, all the operators com- 
mute with each other and thus all the measurements of 
-Z-type can be performed before all the measurements of 
-f-type. To complete the reduction, one has to note that 
.Y-type measurements at the end of post-processing yield 
phase-error syndromes which do not affect the value of the 
final key and thus Alice and Bob do not have to perform 
them [3|. In the resulting prepare-and-measure schemes 
the classical post-processing involves a number of two- 
way error-rejection steps (parity checks) and additional 
one-way post-processing (error-correction and privacy am- 
plification) based on asymmetric CSS codes. The phase- 
error syndrome measurements become effectively privacy 
amplification (3j. 



5 Concluding remarks 

We have analyzed secret-key generation rates in the pres- 
ence of imperfections arising from tagging of Alice's source 
and from dark counts at Bob's detectors. In particular, we 
considered a post-processing procedure (error correction 
and privacy amplification) based on a combination of B- 
steps and asymmetric CSS codes. As a main result, for the 
four-state, the six-state, and the decoy-state protocols, it 



We would like to conclude this work with a discus- 
sion about certain assumptions underlying our approach 
and related possible open questions. Our model for sources 
and detectors is not as general as possible and it suffers 
from the same limitations as the model adopted in Refs. 
[^1()II11II12| . For instance, we have focused on imperfect 
sources which tag a fraction of the signals in an uncorre- 
lated and independent manner. In other words, we have 
not considered the case of coherent or other highly cor- 
related basis-dependent tagging [5j. In this context, our 
analysis has been based on a particular class of eavesdrop- 
ping attacks where the sets of tagged and untagged qubits 
are attacked separately. Each tagged qubit is treated in- 
dividually (by means of a PNS attack) whereas untagged 
qubits undergo a coherent (joint) attack. In this way, on 
the one hand we essentially give Eve a perfect copy of 
the part of the key originating from tagged signals, while 
on the other hand we give her all the power to retrieve 
as much information as possible about the remaining bits 
of the key. It is plausible that, for a fixed bit-error rate, 
this is the most powerful attack one may consider in the 
framework of the particular model for sources and detec- 
tors. However, we would like to emphasize that this work 
shows how incorporation of B-steps prior to one-way CSS- 
based post-processing can postpone certain dark-count ef- 
fects thus increasing the distances over which a secret-key 
can be distributed. This result is quite general and is not 
expected to change in the case of other, perhaps more effi- 
cient and more powerful, eavesdropping strategies. Indeed, 
as pointed out in Refs. 10.:T^. the maximum secure dis- 
tances for WCP-based QKD are not limited by the eaves- 
dropping strategy under consideration but rather by the 
actual detector performance and especially by the dark- 
count rate. Finally, throughout this work we have also not 
addressed the case of imperfect sources which emit weak 
coherent pulses with nonrandom phases or highly dimen- 
sional signals [5j. At any rate, all of these issues depend on 
how well the two legitimate users know their devices (e.g., 
source and detectors) and how reliably they can character- 
ize them by means of other, perhaps untrusted, apparatus 
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